Abstract 

The purpose of a cryptosystem is to allow people to communicate securely 
over an open channel. Before one can discuss whether a cryptosystem 
meets this goal, however, one must first rigorously define what is meant by 
security. 

Three very different formal definitions of security for public-key cryptosystems have been proposed — two by Goldwasser and Micali and one by Yao. In this thesis, it is shown that the three definitions are essentially equivalent. 

As originally proposed, the three definitions are not equivalent. The 
inequivalence, however, is caused only by some minor technical choices. 
After rectifying those choices, we prove all three definitions to be equivalent. 
This equivalence provides evidence that the right formalization of the notion 
of security has been reached. 
Chapter 1 



Introduction 



1.1 Public-Key Cryptography 

The era of modern cryptography began with Diffie and Hellman's famous 1976 paper [4] which presented the concept of public-key cryptography. Informally, there is a community of users, A, B, .... In the Diffie-Hellman paradigm, each user U in the system selects a pair of encryption/decryption algorithms $(E_U, D_U)$ such that for all x, $D_U(E_U(x)) = x$. User U publishes $E_U$ (in an ad hoc public file) but keeps $D_U$ secret. Any other user, in order to send securely a binary string m to U, first looks up $E_U$, then computes $y \leftarrow E_U(m)$, and finally sends y to U. 

Diffie and Hellman insisted that such a system be secure against any adversary who wiretaps the communications channels, intercepts the cyphertext y and tries to compute $D_U(y)$. Note that the concern here is only with passive adversaries; our adversary is not, for example, allowed either to alter the messages sent or to inject his own messages into the system. 

The security of cryptosystems based on the Diffie-Hellman model, and in 
fact the security of every cryptosystem I will discuss in this thesis, is based 
on complexity theory. That is to say, statements such as "No adversary 
can extract the plaintext" or "No adversary can compute any information 
about the plaintext" really mean that it is computationally infeasible for 
an adversary to do such a thing. 
The first concrete implementation of a cryptosystem based on Diffie and Hellman's idea was the RSA scheme of Rivest, Shamir, and Adleman [8]. A brief description of their cryptosystem is given below. 



1.2 The RSA Public-key system 

Alice's preprocessing steps: 

1. Find two random distinct primes $p_1, p_2$. 

2. Compute $n = p_1 p_2$. 

3. Compute $\varphi(n) = (p_1 - 1)(p_2 - 1)$. 

4. Compute $s, t$ such that $st \equiv 1 \pmod{\varphi(n)}$. Thus $\gcd(s, \varphi(n)) = 1$. (Given a modulus m, there is a fast algorithm for computing multiplicative inverses mod m. Hence all we need to do is pick s at random from $Z^*_{\varphi(n)}$ and then compute its inverse.) 

5. Publish $s, n$ in some public file ("phone book"), but keep t secret. 

Instructions for Bob: 

1. Bob has a message m = "Hi! ..." that he wishes to send to Alice. First he must of course represent m as a binary number in some agreed upon way. 

2. Bob then computes $y = m^s \bmod n$ and sends y to Alice. 

Instructions for Alice: 

Alice can easily recover the plaintext by computing $m = y^t \bmod n$. 
1.3 Probabilistic Encryption 

The RSA scheme — and indeed, any cryptosystem following the Diffie-Hellman model — is deterministic. That is to say, any given plaintext message has a unique encryption. As Goldwasser and Micali pointed out [5], discussing the security of a deterministic public-key cryptosystem is a tricky business. For instance, a deterministic public-key cryptosystem cannot be used to send securely a given small set of messages, say {0, 1, ..., 10}. In fact, any "code breaking algorithm" may, on input E and a cyphertext y, check first whether $E(i) = y$ for $i = 0, \ldots, 10$. 

Also, even when the tapper is not capable of retrieving m from E and E(m), he may be able to compute some partial information about m, say the value of P(m) for some predicate P. From this point of view, if messages are deterministically encrypted, then an adversary can always extract some information about the plaintext from the cyphertext. At the very least, an adversary can easily compute, given only E and the cyphertext y, the following predicate $P_E$: 

$$P_E(m) = \begin{cases} 0 & \text{if the last bit of the encryption } E(m) \text{ is } 0 \\ 1 & \text{if the last bit of the encryption } E(m) \text{ is } 1. \end{cases} \qquad (1.1)$$ 

We are not claiming that $P_E$ is an interesting predicate. We are simply pointing out the difficulties of discussing the security of deterministic cryptosystems. 

To prevent an adversary from computing even such partial information about the plaintext from the cyphertext, Goldwasser and Micali suggested using probabilistic encryption algorithms. In other words, one may think of the encryption algorithm as an algorithm with two inputs, $E = E(\cdot, \cdot)$: the message to be transmitted and a random string (selected by the sender). If one chooses a probabilistic encryption algorithm properly, then every plaintext message will have many different encryptions, but a given cyphertext will still be the encryption of only one plaintext message. 

This choice also allowed Goldwasser and Micali to introduce rigorous and convincing notions of security. Changing the scenario from deterministic to probabilistic becomes necessary as their security conditions cannot be met by any deterministic cryptosystem. 
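As an added example (not code from the thesis), the following Python walks through the RSA steps of Section 1.2 with constructed small primes, then plays the line-tapper experiment against the deterministic scheme on the small message set of Section 1.3, and finally wraps RSA in a toy two-input encryption E(m, r) to show the structural change that probabilistic encryption makes. The primes, bit lengths and the re-encrypting tapper are constructed for illustration; the toy randomization only demonstrates "many encryptions per plaintext, one plaintext per cyphertext" and, with 8 random bits, is trivially enumerable, so it is not itself a secure scheme.

```python
"""Textbook RSA from Section 1.2, the deterministic-encryption weakness of
Section 1.3, and a toy two-input encryption E(m, r).  Example code written for
this page; primes, bit lengths and the tapper are constructed illustrations."""
import random
from math import gcd


def make_rng(seed=7):
    """Seeded source of randomness so runs are reproducible."""
    return random.Random(seed)


def rsa_keygen(p1, p2, rng):
    """Alice's preprocessing: n = p1*p2, phi(n), random s coprime to phi(n),
    t = s^-1 mod phi(n).  Returns the public pair (s, n) and the secret t."""
    n = p1 * p2
    phi = (p1 - 1) * (p2 - 1)
    while True:
        s = rng.randrange(2, phi)
        if gcd(s, phi) == 1:
            break
    t = pow(s, -1, phi)            # modular inverse (Python 3.8+)
    return (s, n), t


def rsa_encrypt(pub, m):
    """Bob: y = m^s mod n (deterministic: one cyphertext per plaintext)."""
    s, n = pub
    return pow(m, s, n)


def rsa_decrypt(pub, t, y):
    """Alice: m = y^t mod n."""
    _, n = pub
    return pow(y, t, n)


def recover_small_message(pub, y, candidates):
    """Section 1.3: with a deterministic E and a small message set, anyone
    holding E can test E(i) == y for each candidate i and read off m."""
    for i in candidates:
        if rsa_encrypt(pub, i) == y:
            return i
    return None


def tapper_reencrypt(encrypt, pub, m0, m1, alpha):
    """A line tapper T(E, m0, m1, alpha) in the sense of Definition 3.1 that
    re-encrypts m0 and compares.  Against a deterministic E it is always right."""
    return m0 if encrypt(pub, m0) == alpha else m1


def gm_game(encrypt, pub, m0, m1, trials, rng):
    """Empirical success rate of tapper_reencrypt in the experiment of (3.1):
    m <- {m0, m1}; alpha <- E(m); does T(E, m0, m1, alpha) == m ?"""
    wins = 0
    for _ in range(trials):
        m = rng.choice((m0, m1))
        alpha = encrypt(pub, m)
        if tapper_reencrypt(encrypt, pub, m0, m1, alpha) == m:
            wins += 1
    return wins / trials


MSG_BITS, RAND_BITS = 4, 8       # toy sizes; need n > 2^(MSG_BITS + RAND_BITS)


def prob_encrypt(pub, m, rng):
    """Two-input encryption E(m, r): prepend a fresh random r to m before the
    RSA step.  Each plaintext now has 2^RAND_BITS different encryptions.
    (Toy only: r is small enough to enumerate, so this is not a secure scheme.)"""
    r = rng.getrandbits(RAND_BITS)
    return rsa_encrypt(pub, (r << MSG_BITS) | m)


def prob_decrypt(pub, t, y):
    """Decryption is still unique: strip r after the RSA step."""
    return rsa_decrypt(pub, t, y) & ((1 << MSG_BITS) - 1)


if __name__ == "__main__":
    rng = make_rng(7)
    pub, t = rsa_keygen(101, 113, rng)        # constructed toy primes, n = 11413
    y = rsa_encrypt(pub, 7)
    print("deterministic RSA, message set {0..10}: recovered",
          recover_small_message(pub, y, range(11)))
    print("tapper success vs deterministic E:", gm_game(rsa_encrypt, pub, 3, 9, 200, rng))
    randomized = lambda p, m: prob_encrypt(p, m, rng)
    print("tapper success vs E(m, r):        ", gm_game(randomized, pub, 3, 9, 400, rng))
```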
1.4 Security 

The key desideratum for any cryptosystem is that encrypted messages must be secure. Before one can discuss whether a cryptosystem has this property, however, one must first rigorously define what is meant by security. Three different rigorous notions of security have been proposed. Goldwasser and Micali [5] suggested two different definitions, polynomial security and semantic security, and proved that the first notion implies the second. Yao [11] proposed a third definition, one inspired by information theory, and suggested that it implies semantic security. 

Not completely knowing the relative strength of these definitions is 
rather unpleasant. For instance, several protocols have been proved correct 
adopting the notion of polynomial security. Are these protocols that are 
secure with respect to that particular definition, or are they secure in a 
more general sense? In other words, a natural question arises: Which of 
the definitions is the "correct" one? Even better: How should we decide 
the "correctness" of a definition? 

The best possible answer to these questions would be to find that the 
proposed definitions — each attempting to be as general as possible — are all 
equivalent. In this case, one obviously no longer has to decide which one 
definition is best. Moreover, the equivalence suggests that one has indeed 
found a strong, natural definition. 

In this thesis, I will show that the three notions are essentially equivalent. The three originally proposed definitions were not equivalent. However, as I will point out, this inequivalence was caused only by some minor technical choices. We can prove, after rectifying these marginal choices, the desired equivalences and keep the spirit of the definitions intact. 



Chapter 2 

Notation and Public-key Scenarios 



2.1 Notation and Conventions for Probabilistic Algorithms 

The notation I present here is almost identical to that introduced by Goldwasser, Micali, Rivest [6]. 

I emphasize the number of inputs received by an algorithm as follows. If algorithm A receives only one input I write $A(\cdot)$; if it receives two inputs, $A(\cdot, \cdot)$; and so on. 

"PS" will stand for "probability space"; in this paper we only consider countable probability spaces. In fact, we deal almost exclusively with probability spaces arising from probabilistic algorithms. 

If $A(\cdot)$ is a probabilistic algorithm, then for any input i, the notation $A(i)$ refers to the PS which assigns to the string a the probability that A, on input i, outputs a. Notice the special case where A takes no inputs; in this case the notation A refers to the algorithm itself, whereas the notation $A()$ refers to the PS defined by running A with no input. If S is a PS, denote by $\Pr_S(e)$ the probability that S associates with element e. Also, we denote by $[S]$ the set of elements which S gives positive probability. In the case that $[S]$ is a singleton set $\{e\}$ we will use S to denote the value e; this is in agreement with traditional notation. (For instance, if $A(\cdot)$ is an algorithm that, on input i, outputs $i^3$, then we may write $A(2) = 8$ instead of $[A(2)] = \{8\}$.) 

If $f(\cdot)$ and $g(\cdot, \cdots)$ are probabilistic algorithms then $f(g(\cdot, \cdots))$ is the probabilistic algorithm obtained by composing f and g (i.e. running f on g's output). For any inputs $x, y, \ldots$ the associated probability space is denoted $f(g(x, y, \ldots))$. 

If S is any PS, then $x \leftarrow S$ denotes the algorithm which assigns to x an element randomly selected according to S; that is, x is assigned the value e with probability $\Pr_S(e)$. If F is a finite set, then the notation $x \leftarrow F$ denotes the algorithm which assigns to x an element randomly selected from the PS which has sample space F and the uniform probability distribution on the sample points. Thus, in particular, $x \leftarrow \{0, 1\}$ means x is assigned the result of a coin toss. 

The notation $\Pr(p(x, y, \ldots) \mid x \leftarrow S;\ y \leftarrow T;\ \ldots)$ denotes the probability that the predicate $p(x, y, \ldots)$ will be true, after the ordered execution of the algorithms $x \leftarrow S$, $y \leftarrow T$, etc. I use analogous notation for expected value — $\mathrm{Ex}(f(x, y, \ldots) \mid x \leftarrow S;\ y \leftarrow T;\ \ldots)$ — where now f is a function which takes numerical values. 

Let RA denote the set of probabilistic polynomial-time algorithms. I assume that a natural representation of these algorithms as binary strings is used. 

By $1^n$ we denote the unary representation of integer n, i.e. $11\ldots1$ (n ones). 



2.2 Cryptographic Scenarios 

Here I specify those elements that are necessary for all public-key cryptography. 

A cryptographic scenario consists of the following components: 

• A security parameter n which is chosen by the user when he creates his encryption and decryption algorithms. The parameter n will determine a number of quantities (length of plaintext messages, overall security, etc.). 

• A sequence of message spaces, $M = \{M_n\}$, from which all plaintext messages will be drawn. $M_n$ consists of all messages allowed to be sent if the security parameter has been set equal to n. In order to make our notation simpler (but without loss of generality), we'll assume that $M_n = \{0, 1\}^n$. There is a probability distribution on each message space, $\Pr_n : M_n \to [0, 1]$, such that $\sum_{m \in M_n} \Pr_n(m) = 1$. 

• A public-key cryptosystem is an algorithm $C \in RA$ that on input $1^n$ outputs the description of two polynomial-size circuits E and D such that: 

  1. E has n inputs and $l(n)$ outputs, and D has $l(n)$ inputs and n outputs. (l is some polynomial that gives the length of the cyphertext.) 

  2. E is probabilistic; D is deterministic. 

  3. For all $m \in \{0, 1\}^n$, $\Pr(D(\alpha) = m \mid (E, D) \leftarrow C(1^n);\ \alpha \leftarrow E(m)) = 1$. 

  Notice that $[E(m)]$ is a set which is typically quite large. Our notation requires us to write $\alpha \in [E(m)]$ to refer to $\alpha$, a particular encryption of m. Nevertheless, we will sometimes sloppily write E(m) for a particular encryption of m when the meaning is clear. 

• The number of "allowed passes." This number specifies how A and B agree upon an encryption algorithm E output by the public-key cryptosystem. To this crucial notion (surprisingly neglected so far), we devote the next section. 



2.3 Passes 

Within the public-key model, A and B can alternate communicating back 
and forth as many times as they feel are necessary to achieve security. Call 
each alternation a pass. 

Any number of passes are, of course, permissible. I concentrate on what I believe are the two most interesting and important cases, one and three passes. I do not consider more than three passes, because, if trapdoor permutations exist, a well designed probabilistic encryption scheme can achieve as much security as is possible using only three passes. 

Three-pass systems 

The three-pass case is, perhaps, the most natural to think about. It corresponds to a telephone conversation. A has a message m that she wants to securely communicate to B. A calls up B and says, "I have a message I'd like to send to you." B, so alerted, proceeds to generate an encryption/decryption algorithm pair, (E, D), and tells A, "Please use E to encrypt your message." A then uses E to encrypt her message and tells B "E(m)." 

Notice the key property of a three-pass system: The message and the encryption algorithm are selected independently of one another. We are nevertheless in a public-key model, since anyone tapping the phone line gets to hear B tell E to A. 



One-pass systems 

A one-pass system corresponds to what is commonly called a public file system. In the one-pass model, A simply looks up B's public encryption algorithm, E, in a "phone book" and uses it to encrypt her message. (One pass is a slight misnomer. At some point, in what we may view as a preprocessing stage, B must have communicated his encryption algorithm, presumably by telling it to whomever publishes the phone book of encryption algorithms, and thus indirectly to A. "One and a half passes" might be more accurate. "Half" refers to the preprocessing stage that needs to be performed only once.) In this case, the choice of message can depend on E. 



Chapter 3 
Definitions of Security 

3.1 Informal Discussion 

The main result of this thesis is 

GM-security, semantic security, and Y-security (all formally de- 
fined later in this chapter) are equivalent for both three-pass 
and one-pass cryptosystems. 

Interestingly, the equivalence still holds in the one-pass scenario, but the 
notions of security vary between the one-pass and three-pass scenarios. This 
point has not been given the proper attention, because people frequently 
confuse the notion of one-pass public-key cryptography with public key 
cryptography in general. 

The distinction, however, is crucial for avoiding errors, particularly in cryptographic protocols. Let us informally state the two definitions of security that are achievable in the two scenarios if trapdoor permutations exist. 

3-pass A cryptosystem is secure if, for every message m in the message space, it is impossible to efficiently distinguish an encryption of m from random noise. 



1-pass A cryptosystem is secure if, for every message m that is efficiently computable on input the encryption algorithm alone, it is impossible to efficiently distinguish an encryption of m from random noise. 

In other words, in the one-pass scenario one cannot just blithely write, "For all messages m." For instance, if one closely analyzes all known public-key cryptosystems, it is conceivable that if (E, D) is an encryption/decryption pair, then D can be easily computed from E(D). For instance, the constructive reduction of security to quadratic residuosity given by Goldwasser and Micali [5] for their cryptosystem would vanish if the encrypted message is allowed to be D itself.¹ 

Such problems cannot arise in the three-pass scenario because the encryption algorithm E is selected after and independently of the message m. 



In this thesis, we will only prove the desired equivalences in detail for 
the three-pass scenario. The proof for the one-pass scenario is sketched 
in the final chapter. The reason for this choice is that the definitions of 
security are much more easily stated for three-pass systems. It is much 
more convenient to say, "For all messages m," than "For all messages m 
that are efficiently computable given the encryption algorithm as an input." 

3.2 GM-security (3-pass) 

This definition is essentially what Goldwasser and Micali [5] called polynomial security. 

A line tapper is a family of polynomial-size probabilistic circuits $T = \{T_n\}$. Each $T_n$ takes four strings as input and outputs either 0 or 1. However, to make our next equation more readable, we will treat $T_n$'s output as being either its second or third input (0 or 1 respectively). 

¹ Notice that if Bob publishes an encryption algorithm E in the public file while keeping its associated decryption algorithm D secret, then any other user, being limited to efficient computation and ignorant of D, necessarily selects her message m efficiently from the input E — maybe without even looking at E — and perhaps other inputs altogether independent of (E, D). However, in designing cryptographic protocols, one would often like to be able to transmit things like E(D). For instance, if that type of message were allowed, one would have a trivial solution to the problem of verifiable secret sharing [3]. 



Definition Let C be a public-key cryptosystem. C is GM-secure if for all line tappers T and c > 0, for all sufficiently large n, for every $m_0, m_1 \in M_n$, 

$$\Pr(T_n(E, m_0, m_1, \alpha) = m \mid m \leftarrow \{m_0, m_1\};\ E \leftarrow C(1^n);\ \alpha \leftarrow E(m)) < \tfrac{1}{2} + n^{-c}. \qquad (3.1)$$ 

Remark: In reading the above definition, one should pay close attention to our notation. Upon casual consideration of 3.1, one might conclude that there aren't any GM-secure cryptosystems! After all, the definition says that the encryption E must be secure against any $m_0$ and $m_1$, both of which are given as inputs to the line tapper. What happens if we put $m_0 = D$, a description of the decryption algorithm? The answer to this question is that our notation specifies that first we choose m from $\{m_0, m_1\}$ (and thus $m_0$ and $m_1$ already had been set), and then we choose our encryption algorithm. If C is GM-secure, then the probability that $C(1^n)$ assigns to any given output is quite small, say $O(2^{-n})$. Thus there's little worry that C will just happen to output a decryption algorithm $D = m_0$. Notice how the above definition (via our notation) models the three-pass scenario. 

3.3 Semantic Security (3-pass) 

Again, this definition is essentially the same as in [5]. It can be viewed as a polynomial-time bounded version of Shannon's "perfect secrecy" [10]. This definition makes use of the probability distributions $\Pr_n$ over the sets of messages $M_n$. Informally, let f be any function, $f : M_n \to V = \{$any values the adversary likes$\}$. Intuitively, f should be thought of as some information about the plaintext that the adversary would like to be able to compute from the cyphertext, say the first seventeen bits of the plaintext. A cryptosystem is semantically secure if no adversary, on input E(m), can compute f(m) more accurately than by random guessing. 

Definition Let C be a public-key cryptosystem, $M = \{M_n\}$ a sequence of message spaces, and V be any set. Let $F = \{f_E : M_n \to V \mid E \in [C(1^n)]\}$ be any set of functions. For $v \in V$, we denote by $f_E^{-1}(v)$ the inverse image of v; that is, the set $\{m \in M_n \mid f_E(m) = v\}$. Then the probability of the most probable value for $f_E(m)$ is $p_f = \max\{\sum_{m \in f_E^{-1}(v)} \Pr_n(m) \mid v \in V\}$. $p_f$ is the maximum probability with which one could guess $f_E(m)$ without having any idea whatsoever what m is. 

C is semantically secure if for every family of polynomial-size probabilistic circuits $A = \{A_n(\cdot, \cdot)\}$, for all c > 0, and for all sufficiently large n 

$$\Pr(A_n(E, \alpha) = f_E(m) \mid m \leftarrow M_n;\ E \leftarrow C(1^n);\ \alpha \leftarrow E(m)) < p_f + n^{-c}. \qquad (3.2)$$ 



3.4 Y-security (3-pass) 

Yao's definition [11] is inspired by information theory, but its context differs 
from classical information theory in that the communicating agents, A(lice) 
and B(ob), are limited to probabilistic polynomial-time computations. 

An intuitive explanation of Yao's definition is the following: A has a series of $n^k$ messages, selected from a probability space known to both A and B, and an encryption of each message. She wishes to transmit enough bits to B so that he can (in polynomial time with very high probability) compute all the plaintexts. A cryptosystem is Y-secure if the average number of bits A must send B is the same regardless of whether B possesses a copy of the cyphertext. 

I now make this notion precise, first by defining "Alice and Bob," and then eventually defining Y-security itself. 

Let $M = \{M_n\}$ be a sequence of message spaces. Each $M_n$ is $\{0, 1\}^n$ with a fixed probability distribution. (Note that an information theorist would consider M to be a sequence of sources.) 

Let $\varepsilon(n)$ be any function that vanishes faster than $n^{-c}$ for all positive c. 

For the sake of compactness of notation, the expression $\bar{m}$ will denote a particular series of $n^k$ messages. That is, $\bar{m}$ stands for $m_1, m_2, \ldots, m_{n^k}$. 



Let f be any positive function such that $f(n) \le n$. Intuitively f(n) is the number of bits per message that A must transmit to B in order for B to recover the plaintexts. Recall that all the messages in $M_n$ have length n. 

Definition An f(n) c/d pair (c/d for compressor/decompressor) for M is a pair of families of probabilistic polynomial-size circuits, $(\{A_n\}, \{B_n\})$, satisfying the following conditions for some constant k: 

1. "$B_n$ understands $A_n$." 

$$\Pr(\bar{m} = y \mid m_1 \leftarrow M_n;\ \ldots;\ m_{n^k} \leftarrow M_n;\ \beta \leftarrow A_n(\bar{m});\ y \leftarrow B_n(\beta)) = 1 - O(\varepsilon(n)). \qquad (3.3)$$ 

2. "$A_n$ transmits only f(n) bits per message." 

$$\mathrm{Ex}\left(\frac{|\beta|}{n^k} \,\Big|\, m_1 \leftarrow M_n;\ \ldots;\ m_{n^k} \leftarrow M_n;\ \beta \leftarrow A_n(\bar{m})\right) \le f(n). \qquad (3.4)$$ 

3. "The output of $A_n$ can be parsed." 

For all polynomials Q there exists a probabilistic polynomial-time algorithm $S_Q$ such that $S_Q$ takes as input a concatenated string of Q(n) $\beta$'s, each of which is a good output from $A_n$, and separates them. That is, its input is $\beta_1 \beta_2 \cdots \beta_{Q(n)}$ and its output is $\beta_1 \# \beta_2 \# \cdots \# \beta_{Q(n)}$. We require that 

$$\Pr(S_Q \text{ correctly splits } \beta_1 \beta_2 \cdots \beta_{Q(n)}) = 1 - O(\varepsilon(n)). \qquad (3.5)$$ 

Remark: The requirement that $S_Q$ exist is a technical requirement. It creates a finite analogue of classical information theory's requirement that messages be transmitted one bit at a time, in an infinite sequence of bits. 

We say that the cost of communicating M is less than or equal to f(n), written $C(M) \le f(n)$, if an f(n) c/d pair for M exists. We define $C(M) \ge f(n)$ to be the negation of $C(M) < f(n)$; that is, communicating M must cost at least f(n) bits. The definition of $C(M) = f(n)$ is analogous. 
Let C be a cryptosystem. We define $C(M \mid E_C(M))$, the cost of communicating M given encryptions from C, in a manner analogous to C(M). The only difference is that now both $A_n$ and $B_n$ also get E and the $n^k$ values of some encryption function $E \in [C(1^n)]$ as inputs. (We now call $(\{A_n\}, \{B_n\})$ a shared cyphertext c/d pair.) That is, for this definition we must rewrite Equation 3.3 above to read: 

$$\Pr(\bar{m} = y \mid m_1 \leftarrow M_n;\ \ldots;\ m_{n^k} \leftarrow M_n;\ E \leftarrow C(1^n);\ \alpha_1 \leftarrow E(m_1);\ \ldots;\ \alpha_{n^k} \leftarrow E(m_{n^k});\ \beta \leftarrow A_n(E, \bar{m}, \bar{\alpha});\ y \leftarrow B_n(E, \beta, \bar{\alpha})) = 1 - O(\varepsilon(n)). \qquad (3.6)$$ 

An analogous change must also be made to Equation 3.4. 

Notice that for this definition, the probabilities involved must be taken over the different choices of E from C as well as everything else. 

Definition Let C be a public-key cryptosystem. Fix a sequence of message spaces $M = \{M_n\}$ (and thus the probability distribution on each $M_n$). We say that C is Y-secure with respect to M if 

$$C(M) = C(M \mid E_C(M)) + O(\varepsilon(n)). \qquad (3.7)$$ 

We say that C is Y-secure if for all M, C is Y-secure with respect to M. 



3.5 The original definitions vs. mine 

As I discussed in Chapter 1, I made minor changes in the cryptographic scenario from [5] and [11]. Here I will spell out what those changes are and why they were made. 



Changes to Goldwasser and Micali's Definition 

There are two ways a cryptosystem (the server that generates encryption/decryption algorithm pairs) can achieve security: 

1. The cryptosystem gets a description of a message space M (and thus its probability distribution) as one of its inputs and will output an encryption/decryption algorithm pair to securely encrypt M. 

2. The cryptosystem is told nothing about the message space. The encryption algorithms it outputs are supposed to be secure for every possible message space. 

We will call the former cryptosystems aware and the latter oblivious. 

Goldwasser and Micali consider aware cryptosystems for both of their definitions of security [5]; Yao doesn't make it clear which type of cryptosystem he is assuming for his definition of security [11]. I believe it makes more sense to consider oblivious cryptosystems, for both theoretical and applied reasons. 

The theoretical reason for preferring oblivious cryptosystems is that all three definitions of security are equivalent. (See Chapter 4.) This is a desirable property that fails to hold for aware cryptosystems, as we will show in the next section. 

The practical reason for preferring oblivious cryptosystems is that, although it is certainly conceivable that having knowledge of the message space might allow one to design a better encryption algorithm, cryptographers have in fact normally tried to design cryptosystems that are secure for arbitrary message spaces. For example, consider the cryptosystem based on arbitrary trapdoor predicates proposed by Goldwasser and Micali [5]. Although they only considered security in the aware cryptosystem sense, their cryptosystem is in fact secure in the stronger, oblivious sense. 

Changes to Yao's Definition 

In [11], Yao assumes deterministic private key cryptography, but the definition is immediately extended to probabilistic public-key cryptography. 

Yao defines the compressor A and decompressor B to be Turing machines, not circuits. I have switched to circuits because it is not clear that there are any secure cryptosystems with respect to probabilistic Turing machines. It might be that one can always achieve greater polynomial-time compression given the cyphertext simply because having a shared random (enough) string (in this case the cyphertext!) helps. If it does help, however, having made the compressor and decompressor nonuniform circuits we can always hardwire in a shared random string of bits. 
3.6 Inequivalence of the original definitions 

In this section, we point out that, for aware cryptosystems, GM-security is a notion stronger than either semantic security or Y-security. We do this in the following two claims, each supported by an informal argument. These claims can be easily transformed to theorems after formalizing the discussed security notions in terms of aware cryptosystems, a tedious effort once we have realized that the aware setting is not the "right" one. 

Claim 1 If any GM-secure aware public-key cryptosystem exists, then there exist aware public-key cryptosystems that are semantically secure but not GM-secure. 

Let $C(\cdot, \cdot)$ be any GM-secure (and thus semantically secure) aware cryptosystem. We'll construct a $C'(\cdot, \cdot)$ that is still semantically secure, but is not GM-secure. 

$C'$ behaves identically to C for all message spaces, except for the message space $\{0, 1\}^n$ with uniform probability distribution. In this case, $C'$ runs C to compute an encryption algorithm E, and then outputs the algorithm $E'$ defined by: 

$$E'(x) = \begin{cases} 0^n & \text{if } x = 0^n \\ 1^n & \text{if } x = 1^n \\ E(x) & \text{otherwise} \end{cases} \qquad (3.8)$$ 

$C'$ is clearly not GM-secure, because, for the special message space described above, there are two messages, $0^n$ and $1^n$, that are easily distinguished by their encryptions. However, $C'$ is still semantically secure. Those two messages have such a low probability weight that they won't give an adversary any significant advantage — on average — in computing a function of the plaintext on input the cyphertext. □ 

Claim 2 If any GM-secure aware public-key cryptosystem exists, then there exist aware public-key cryptosystems that are Y-secure but not GM-secure. 

We construct exactly the same $C'$ as we did for the previous claim. $C'$ is of course not GM-secure. However, the two "weak messages" have such 
Chapter 4 

Main Results 



In this chapter we provide the proof of the equivalence of GM-security, semantic security, and Y-security. We choose to do these proofs by showing that GM-security is equivalent to Y-security and that GM-security is equivalent to semantic security. We present here only three of the four necessary implications. The proof that GM-security implies semantic security may be found in [5]. We'll present the three proofs in order of increasing difficulty and technical complexity. 



4.1 Semantic Security Implies GM-security 

This proof is quite simple. If a cryptosystem is not GM-secure, then there exist two messages, $m_1$ and $m_2$, which we can easily distinguish. If we make a new message space in which these are the only messages, then given only cyphertext, one has a better than random chance of figuring out which of the two plaintext messages the cyphertext represents. 

Theorem 1 Let C be a public-key cryptosystem. If C is semantically secure, then C is GM-secure. 

Proof Again we prove the contrapositive. Let C be a public-key cryptosystem that is not GM-secure. We will prove that C is not semantically secure. 
Formally, C is not GM-secure means that there exist a line tapper T and c > 0 such that for infinitely many n there are $m_1^n, m_2^n \in M_n$ for which 

$$\Pr(T_n(E, m_1^n, m_2^n, \alpha) = m \mid m \leftarrow \{m_1^n, m_2^n\};\ E \leftarrow C(1^n);\ \alpha \leftarrow E(m)) > \frac{1}{2} + \frac{1}{n^c}. \qquad (4.1)$$ 

We construct a new message space $M_n$ as follows: For those n for which equation 4.1 holds, $\Pr_n(m_1^n) = 1/2$ and $\Pr_n(m_2^n) = 1/2$. 

We've set up the message space so one can simply guess the plaintext from the cyphertext. More precisely, a circuit guessing the plaintext from the cyphertext can use T as a subroutine and thus obtain a polynomial advantage. On the other hand, without seeing the cyphertext, circuits with no input can only randomly guess the plaintext. Q.E.D. 

4.2 Y-security implies GM-security 

In the proof of the next theorem, we use a technical lemma that is a variation of Chernoff's bound [2]. The derivation of the lemma from Chernoff's bound is in the appendix. 

Lemma 1 Let X be a random variable having binomial distribution, with n trials and probability of success p. For $0 < a < 1/2 < p < 1$, we have $\Pr(X < an) < e^{-2(p-a)^2 n}$. 

Theorem 2 (Rackoff [7]) Let C be a cryptosystem. If C is Y-secure, then C is GM-secure. 

Proof Again we will prove the contrapositive. Let C be a cryptosystem that is not GM-secure for some message space M. There exists a family of line tappers $T = \{T_n\}$ such that for infinitely many n, there are $m_0, m_1 \in M_n$ such that $T_n$ can distinguish between them. Consider now a new message space $M'$ that, for those n, has $\Pr_n(m_0) = 1/2$, $\Pr_n(m_1) = 1/2$, and $\Pr_n(m) = 0$ for all other $m \in \{0, 1\}^n$. 
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Clearly C(M') = 1: any circuits not sharing cyphertext will need one 
bit per message to communicate outputs from M 1 . This fact follows from 
classical information theory considerations. 

On the other hand, we will now show that C(M' | E C {M')) < 1 - l/n k . 
(The value of the constant k will be specified below.) This value is achieved 
by a shared cyphertext c/d pair that transmits n k messages at a time. 

$A_n$ gets $n^k$ messages, in both plaintext and cyphertext form, as its input. Since 
there are only two messages in $M'_n$, each message can be considered to 
be a bit $b$ and each cyphertext the encryption of a bit. That is to say, 
$A_n$'s input is $b_1, b_2, \ldots, b_{n^k},\ a_1, a_2, \ldots, a_{n^k}$ where $a_i \in [E(b_i)]$. $A_n$ now 
XORs each adjacent pair of messages (bits). That is, put $c_i = b_i \oplus b_{i+1}$ for 
$i = 1, 2, \ldots, n^k - 1$. Put $\beta = c_1 c_2 \cdots c_{n^k - 1}$. This $\beta$ is the "hint" that $A_n$ 
sends to $B_n$. Obviously, $|\beta|/n^k = 1 - 1/n^k$. 

Now, can $B_n$, given $\beta$ and the $a_i$'s as its input, determine the plaintext 
with probability $1 - O(e^{-n})$? Yes. The "hint", $\beta$, constrains $B_n$ to only 
two possible choices of values for the $b_i$. That is, if $B_n$ decides that $b_1 = 0$, 
then it knows the value of all the bits, say $v_1 v_2 \ldots v_{n^k}$. On the other hand, 
if $B_n$ decides that $b_1 = 1$, then the whole series of messages must have 
been $u_1 u_2 \ldots u_{n^k}$ (where $u_i$ is the complement of $v_i$). 

$B_n$ also has a line tapper, $T_n$, that it can use to test the $a_i$. $B_n$ runs 
$T_n$ on each $a_i$ and obtains $T_n$'s opinion as to what each bit was. Call 
this sequence $t_1 t_2 \ldots t_{n^k}$. Since C is not GM-secure, each $t_i$ is correct with 
probability $p = \frac{1}{2} + 1/n^j$, for some fixed $j$. By Lemma 1 (with $a = 1/2$ and 
"$n = n^k$"), if we make $k > 2j + 1$, then the majority of the $t_i$'s will be correct 
with probability $1 - O(e^{-n})$. $B_n$ compares the $t_i$ to both the $v_i$ and the $u_i$, 
and decides either $b_1 = 0$ if the majority of the $t_i$ coincide with the $v_i$, or $b_1 = 1$ 
if the majority of the $t_i$ coincide with the $u_i$. Q.E.D. 
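The hint-and-majority construction of this proof, written out as an added illustration that is not part of the thesis: $A_n$'s XOR hint $\beta$, the two candidate sequences $v$ and $u$ it leaves open, and $B_n$'s majority vote. Since no concrete cryptosystem is fixed here, the line tapper $T_n$ is replaced by an assumed stand-in that reports each bit correctly with probability $1/2 +$ advantage.

```python
import random


def hint_from_bits(bits):
    """A_n: XOR each adjacent pair of plaintext bits; the result is the hint beta
    of length n^k - 1, so |beta| / n^k = 1 - 1/n^k."""
    return [bits[i] ^ bits[i + 1] for i in range(len(bits) - 1)]


def candidates_from_hint(hint):
    """The only two plaintext sequences consistent with beta:
    v assumes b_1 = 0; u is the bitwise complement of v (b_1 = 1)."""
    v = [0]
    for c in hint:
        v.append(v[-1] ^ c)
    u = [1 - bit for bit in v]
    return v, u


def noisy_tapper(true_bit, advantage, rng):
    """Stand-in for the line tapper T_n (an assumption of this example: it never
    sees a cyphertext, it just returns the true bit with probability 1/2 + advantage)."""
    return true_bit if rng.random() < 0.5 + advantage else 1 - true_bit


def recover_plaintexts(hint, opinions):
    """B_n: compare T_n's opinions t_i against v and u, keep the majority match."""
    v, u = candidates_from_hint(hint)
    agree_v = sum(t == x for t, x in zip(opinions, v))
    # u is the complement of v, so every opinion that disagrees with v agrees with u.
    agree_u = len(v) - agree_v
    return v if agree_v >= agree_u else u


def simulate(num_messages, advantage, seed=0):
    """Run A_n and B_n on num_messages constructed random bits.
    Returns (all plaintexts recovered?, hint bits per message)."""
    rng = random.Random(seed)
    bits = [rng.randrange(2) for _ in range(num_messages)]
    hint = hint_from_bits(bits)
    opinions = [noisy_tapper(b, advantage, rng) for b in bits]
    recovered = recover_plaintexts(hint, opinions)
    return recovered == bits, len(hint) / num_messages


if __name__ == "__main__":
    ok, ratio = simulate(num_messages=10_000, advantage=0.05)
    print(f"all plaintexts recovered: {ok}, hint bits per message: {ratio}")
```

With 10,000 messages and a tapper advantage of only 0.05, the expected number of opinions agreeing with the true sequence is 5,500 against 4,500 for its complement, so the majority decision is wrong with probability on the order of $e^{-2 \cdot 0.05^2 \cdot 10^4}$, as Lemma 1 predicts.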

4.3 GM-security implies Y-security 

Theorem 3 Let C be a public-key cryptosystem. If C is GM-secure, then 
C is Y-secure. 

Proof We'll prove the contrapositive. A bird's eye view of our proof is 
as follows. Assuming that C is not Y-secure, there exists a good shared 
cyphertext c/d pair that manages to communicate using "few" bits. This 
pair will allow us to test (for some special pair of messages $m_1$ and $m_2$) 
whether a particular $a$ is the encryption of either $m_1$ or $m_2$, thus violating 
the GM-security condition. Namely, if the pair works successfully on inputs 
$a$ and $m_1$, we declare $a$ to be an encryption of $m_1$; otherwise we declare $a$ 
to be an encryption of $m_2$. 

Let us proceed formally. Since C is not Y-secure, there is a particular 
message space sequence, $M = \{M_n\}$, such that C is not Y-secure for $M$. 
That is to say, there exist a shared cyphertext c/d pair $AB = \{(A_n, B_n)\}$, 
a positive integer $k$, and a polynomial $P$ such that 

(*) $A_n$ communicates $n^k$ messages from $M_n$ to $B_n$ using "few" bits per 
message, on top of the cyphertext which they get to share for free. 

(**) Furthermore, for every c/d pair $AB'$, there exists an infinite subset 
$N' \subseteq \mathbb{N}$ such that for all $n \in N'$, on average $AB'$ uses at least $1/P(n)$ 
more bits per message than $AB$ does. 

We're now going to run a series of experiments to see how $AB$ behaves 
on inputs that it doesn't "expect." We begin, however, by running a control 
experiment: 

In experiment $n$-EXP$_0$, we pick $n^k$ messages $m_i$ at random from $M_n$ 
and an $E$ at random from $[C(1^n)]$, and run $A_n$ on input 

$m_1 \quad m_2 \quad m_3 \quad \ldots \quad m_{n^k}$ 
$E(m_1) \quad E(m_2) \quad E(m_3) \quad \ldots \quad E(m_{n^k})$ 

(The output will be a string $\beta$ such that $B_n$, on inputs $\beta$ and 
$E(m_1), \ldots, E(m_{n^k})$ will output $m_1, \ldots, m_{n^k}$ with overwhelming probabil- 

Now consider the following experiment, $n$-EXP$_i$. This time we again 
pick $n^k$ messages and an $E$ at random, but we also pick one more message, 
$r$, at random from $M_n$, and set $\rho = E(r)$. Now we run $A_n$ with $i$ copies 
of $\rho$ replacing the first $i$ cyphertexts in its input, and then run $B_n$ on $A_n$'s 
output. A "picture" of $A_n$'s input is 

$m_1 \quad \ldots \quad m_i \quad m_{i+1} \quad \ldots \quad m_{n^k}$ 
$\rho \quad \ldots \quad \rho \quad E(m_{i+1}) \quad \ldots \quad E(m_{n^k})$ 
Definition We define the difference between $n$-EXP$_i$ and $n$-EXP$_j$, 
$d_n(i,j)$, to be the maximum of the average difference between 

1. the length of the $\beta$s output by $A_n$ in the two experiments, and 

2. the frequency with which $B_n$ recovers the correct plaintexts in the 
two experiments. 

Claim 1: There exists a polynomial $Q$ such that for an infinite subset 
$N'' \subseteq \mathbb{N}$ and for all $n \in N''$, $d_n(0, n^k) > 1/Q(n)$. 

Proof of Claim 1: By contradiction. Assume that for all sufficiently 
large $n$, $n$-EXP$_0$ is indistinguishable from $n$-EXP$_{n^k}$. Then $A_n$ and $B_n$ still 
function successfully on input 

$m_1 \quad m_2 \quad m_3 \quad \ldots \quad m_{n^k}$ 
$\rho \quad \rho \quad \rho \quad \ldots \quad \rho$ 

where $m_i$, $r$, $\rho$, and $E$ are as above. We now construct $A'_n$, $B'_n$ to violate 
(**). We simply hardwire the encryption of some random string into a 
pair of circuits identical to $A_n$ and $B_n$ but not sharing cyphertext. By 
assumption, these circuits are a c/d pair violating (**). □ 

Claim 2: For all $n \in N''$, there is a polynomial $Q'$ and an $i$, $0 \leq i \leq n^k - 1$, 
such that $d_n(i, i+1) > 1/Q'(n)$. 

Proof of Claim 2: Fix $n \in N''$. $d_n(0,0) = 0$ and $d_n(0, n^k) > 1/Q(n)$. 
Therefore, there must be an $i$ such that $d_n(i, i+1) > \frac{1}{n^k Q(n)}$. □ 

Let $n \in N''$. For simplicity, but WLOG, consider the case where $i = 0$ 
in Claim 2, and $d_n(0, 1)$ is due to a difference in the length of $A_n$'s output 
(rather than $B_n$'s success rate). 

Let us restate Claim 2 in a more convenient form. Consider the following 
joint experiment, $n$-EXP$_{01}$. Randomly draw $r, m_1, \ldots, m_{n^k}$ from $M_n$ and 
set $E \leftarrow C(1^n)$. Run both $n$-EXP$_0$ and $n$-EXP$_1$ on the same inputs. That 
is, run $n$-EXP$_0$ on input 

$m_1 \quad m_2 \quad m_3 \quad \ldots \quad m_{n^k}$ 
$E(m_1) \quad E(m_2) \quad E(m_3) \quad \ldots \quad E(m_{n^k})$ 

to compute $A_n$'s output $\beta_1$, and run $n$-EXP$_1$ on input 

$m_1 \quad m_2 \quad m_3 \quad \ldots \quad m_{n^k}$ 
$E(r) \quad E(m_2) \quad E(m_3) \quad \ldots \quad E(m_{n^k})$ 

to compute $A_n$'s output on this input, $\beta_2$. The output of $n$-EXP$_{01}$ is 
$|\beta_1| - |\beta_2|$. Then, by the linearity of the average we get that the expected 
value of the output of $n$-EXP$_{01}$ is at least $1/Q'(n)$. 

From this it immediately follows that 

(***) there exist $\tilde r, \tilde m_1, m_2, \ldots, m_{n^k}$ in $M_n$ such that the expected value of 
the output of $n$-EXP$_{01}$ is still greater than $1/Q'(n)$ when the average 
of the length of $\beta$ is computed only over the choice of $E \leftarrow C(1^n)$ and 
of encryptions of messages. 

Now for all $n \in N''$ we can build a tapper $T_n$ that will succeed in 
distinguishing two messages $m_1^n$ and $m_2^n$, described below. 

Fix $\tilde r$ and the $\tilde m_i$ to be messages that fit the requirements of (***). We set 
$T_n$'s inputs: $m_1^n = \tilde m_1$ and $m_2^n = \tilde r$. $T_n$ gets as inputs $E \in [C(1^n)]$, $m_1^n$, $m_2^n$ 
and $a$, where either $a \in [E(m_1^n)]$ or $a \in [E(m_2^n)]$. 

$T_n$ picks $m \in \{m_1^n, m_2^n\}$ at random and runs $A_n$ on input 

$m \quad m_2 \quad m_3 \quad \ldots \quad m_{n^k}$ 
$a \quad E(m_2) \quad E(m_3) \quad \ldots \quad E(m_{n^k})$ 

to compute a $\beta$. There is some threshold length value $v$ for the experiment 
described at (***) such that if $|\beta| < v$ it is more likely that $a \in [E(\tilde m_1)]$ 
and if $|\beta| > v$ it is more likely that $a \in [E(\tilde r)]$. Thus $T_n$ compares $|\beta|$ to $v$ 
and outputs its verdict accordingly. Q.E.D. 

Notice that at several points in the proof we took advantage of the fact 
that $T_n$ is nonuniform: $v$ is hardwired into $T_n$, as are $\tilde r, \tilde m_1, \ldots, m_{n^k}$. In 
fact, most of these uses of nonuniformity could be replaced by polynomial 
size Monte Carlo experiments. However, $T_n$ must be nonuniform since $A_n$ 
and $B_n$ are nonuniform. 
Chapter 5 

One-Pass Scenarios 

In this chapter we present the proper definitions for one-pass cryptogra- 
phy, and then go on to show that these definitions are all equivalent to one 
another. (They are not equivalent to the three-pass definitions.) These 
definitions are all considerably more complicated than the analogous defi- 
nitions for the three-pass scenario. 



5.1 GM-security (1-pass) 

As discussed at the beginning of Chapter 3, for a one-pass cryptosystem, 
we must change from requiring security "for all messages m," to requiring 
security for every message m that is efficiently computable on input the 
encryption algorithm alone. In order to do this, we introduce an adversary 
called a message finder. 

A message finder is a family of polynomial-size probabilistic circuits 
$F = \{F_n(\cdot)\}$ each of which takes the description of an encryption algorithm 
as its input and has two messages of length $n$ as its output. Intuitively, on 
input $E$, $F_n$ tries to find $m_0$ and $m_1$ such that it's easy for a fellow adversary 
(a line tapper) to distinguish encryptions of $m_0$ from encryptions of $m_1$. 

Definition Let C be a public-key cryptosystem. C is GM-secure (one-pass) 
if for all message finders $F$, line tappers $T$, and $c > 0$, for all sufficiently 
large $n$, 

$\Pr(T_n(E, m_0, m_1, a) = m \mid E \leftarrow C(1^n);\ m_0, m_1 \leftarrow F_n(E);\ m \leftarrow \{m_0, m_1\};\ a \leftarrow E(m)) < \frac{1}{2} + \frac{1}{n^c}.$ (5.1) 

5.2 Semantic Security (1-pass) 

To change the definition of semantic security to fit the one-pass scenario 
we need to produce something like the message finders of the previous sec-
tion. For semantic security, however, we're concerned not with finding two 
weak messages, but rather with the probability distribution on the 
message space. Thus our second adversary will not pick out particular 
messages but instead set the probability distribution. We will 
explicitly give the other adversary a description of that probability 
distribution. 

A message space enemy is a family of polynomial-size probabilistic cir-
cuits $B = \{B_n(\cdot)\}$. $B_n$ takes the description of an encryption algorithm 
as its input and outputs the description of a probabilistic Turing machine 
$N()$. $N$ outputs elements of $\{0,1\}^n$ with some probability distribution. 

As in the three-pass definition, we let $V$ be any set and let 
$\mathcal{F} = \{f_E : M_n \to V \mid E \in [C(1^n)]\}$ be any set of functions. Again set $p_f$ to 
be the probability of the most probable value for $f(m)$. 

Definition Let C be a public-key cryptosystem. C is semantically secure 
(one-pass) if for all message space enemies $B$, all sets of functions $\mathcal{F}$ as 
above, all families of polynomial-size probabilistic circuits 
$A = \{A_n(\cdot, \cdot, \cdot)\}$, and $c > 0$, for all sufficiently large $n$, 

$\Pr(A_n(E, N, a) = f_E(m) \mid E \leftarrow C(1^n);\ N \leftarrow B_n(E);\ m \leftarrow N();\ a \leftarrow E(m)) < p_f + \frac{1}{n^c}.$ 
5.3 Y-security (1-pass) 

The changes that must be made to the definition of Y-security are com- 
pletely analogous to the changes we made to the definition of semantic 
security. 



5.4 Equivalence 

The proofs that the three definitions of security are all equivalent are quite 
similar to the proofs for the three-pass case. Here we will redo only the 
proof of the easiest of the four implications, semantic security implies GM-
security. This proof shows the additional details that must be taken into 
consideration when working with the one-pass scenario. 

Theorem 4 GM-security (1-pass), semantic security (1-pass), and Y-se- 
curity (1-pass) are all equivalent. 

Proof that semantic security (1-pass) implies GM-security (1-pass): We 
will, as usual, prove the contrapositive. Let C be a public-key cryptosystem 
that is not GM-secure. We know that there exist a message finder family of 
circuits $F = \{F_n\}$ and a line tapper family of circuits $T = \{T_n\}$. We will use 
the $F_n$ as subroutines (circuit components to be precise) for building our 
message space enemy circuits and then use the $T_n$ to do the distinguishing. 

Our message space enemy, $B_n$, on input an encryption algorithm $E \in [C(1^n)]$, 
runs $F_n$ with input $E$. $F_n$ outputs two messages, $m_0, m_1 \in \{0,1\}^n$. 
$B_n$ outputs the design of a Turing machine $N()$ such that 

$N$ outputs $m_0$ with probability $1/2$ and $m_1$ with probability $1/2$. 

An adversary $A$ who uses $T_n$ as a subroutine can distinguish encryp-
tions of $m_0$ from encryptions of $m_1$. In other words, on the message space 
defined by the output of $N()$, $A$ can compute the function $f(m) = m$ (with 
probability greater than at random) given only an encryption of $m$. $A$ gets 

$\Pr(T_n(E, m_0, m_1, a) = m \mid E \leftarrow C(1^n);\ m_0, m_1 \leftarrow F_n(E);\ m \leftarrow \{m_0, m_1\};\ a \leftarrow E(m)) > \frac{1}{2} + \frac{1}{n^c},$ (5.3) 

which in fact says that $\Pr(A_n(E, N, a) = f(m)) > \frac{1}{2} + \frac{1}{n^c} = p_f + \frac{1}{n^c}$. 



Appendix A 
Proof of Lemma 1 

In this appendix we provide a proof of Lemma 1. 

Let $X$ be a random variable having a binomial distribution with $n$ trials 
and probability of success $p$. For $0 < p, a < 1$, define 

$f(p,a) = a \log \frac{a}{p} + (1-a) \log \frac{1-a}{1-p}.$ (A.1) 

Chernoff [2] gave the following upper bound for estimating $\Pr(X < an)$. 

Theorem 5 (Chernoff) For $0 < a < p$, we have $\Pr(X < an) < e^{-f(p,a)\,n}$. 

The following useful fact was pointed out to me by Ravi Boppana [1]. 

Theorem 6 For $0 < a < \frac{1}{2} < p < 1$, we have $f(p,a) \geq 2(p-a)^2$. 
Proof We first compute 

$\frac{\partial f}{\partial a} = \log \frac{a}{p} - \log \frac{1-a}{1-p}.$ (A.2) 

Notice that for all $p \in [0,1]$, $f(p,p)$ and $\frac{\partial f}{\partial a}(p,p)$ are equal to zero. Taylor's 
theorem (see, for instance, [9]) states that for any "nice" real function $g$ 
defined on $[\alpha, \beta]$, 

$\exists x \in [\alpha,\beta] :\; g(\alpha) = \sum_{k=0}^{n-1} \frac{g^{(k)}(\beta)}{k!}(\alpha - \beta)^k + \frac{g^{(n)}(x)}{n!}(\alpha - \beta)^n.$ (A.3) 
Thus, taking Equation A.3 with $n = 2$ we see that there is an $x \in [a, p]$ such 
that 

$f(p,a) = \frac{1}{2}\,\frac{\partial^2 f}{\partial a^2}(p,x)\,(p-a)^2.$ (A.4) 

Differentiating $f$ again, we see that $\frac{\partial^2 f}{\partial a^2}(p,x) = \frac{1}{x(1-x)}$, so 

$f(p,a) = \frac{(p-a)^2}{2x(1-x)}$ (A.5) 

$\qquad\;\; \geq \min_{x \in [a,p]} \frac{1}{2x(1-x)}\,(p-a)^2.$ (A.6) 

The function $x \mapsto \frac{1}{2x(1-x)}$ is increasing on $[1/2, 1]$. Thus inequality A.6 
still holds if we take $x = 1/2$ and rewrite the right hand side as $2(p-a)^2$, 
which completes our proof. Q.E.D. 

Recall that Lemma 1 states that for $0 < a < \frac{1}{2} < p < 1$, 

$\Pr(X < an) < e^{-2(p-a)^2 n}.$ (A.7) 

Inequality A.7 follows as an immediate corollary of Theorems 5 and 6. 